Security Conformity - PowerPoint PPT Presentation

Presentation Transcript

Security Conformity

March 10, 2011

SF Bay Area


Agenda for Thursday, March 10th

  • Discuss Security Testing & Certification Authority

  • Review Security Testing Methodology

  • Overview TCC and CSWG Testing & Certification Subgroup

  • Revise Security Conformance & Charter


Interoperability Testing and Certification Authority (ITCA)

  • Which security standards are we considering defining an ITCA for?

  • What about researching an ITCA responsible for security testing for certifying existing standards such as OpenADE, OpenADR, OpenHAN?

  • Standards Setting Organizations are responsible for ensuring security is incorporated in the standard

  • This ITCA could claim that it satisfies a certain set of requirements


Other Issues

  • What are good security metrics?

  • Need a good definition of testing vs. audits and assessments


Testing & Metrics

  • GAO Report – “no metrics for evaluating cyber security”

  • Utilities, Vendors, Commissions all want such metrics

  • Open Source Security Testing Methodology Manual (OSSTMM) by the Institute for Security and Open Methodologies

  • NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, and

  • NIST SP 800-42, Guideline on Network Security Testing


Security Conformity

[Diagram: Smart Grid Security Testing Council; labels: NISTIR 7628, OSSTMM, CSWG T/C, AMI SP]


OSSTMM Purpose

  • Test conducted thoroughly

  • Test included all necessary channels

  • Posture for test complied with laws and regulations

  • Results are measurable

  • Results are consistent and repeatable

  • Results contain only facts derived from tests themselves


Security Test Audit Report

  • Serves as proof of a factual test

  • Holds Analyst responsible for test

  • Provides clear result to client

  • Provides comprehensive overview

  • Provides understandable metrics


Security

Security is a function of a separation.

Three logical and proactive ways to create separation:

  • Move the asset to create a physical or logical barrier between it and the threats.

  • Change the threat to a harmless state.

  • Destroy the threat.


Definitions

  • Vector = direction of the interaction

  • Attack Surface = Lack of specific separations and functions that exist for a vector

  • Attack Vector = A sub-scope of a vector created in order to approach the security testing of a complex scope in an organized manner

  • Safety = A form of protection where the threat or its effects are controlled (e.g., breaker)


Definitions cont.

  • Controls = Impact & loss controls (see notes)

  • Operations = the lack of security needed to be interactive, useful, public, open, or available

  • Limitations = the current state of perceived and known limits for channels, operations, and controls as verified within the audit (e.g., rusty lock; see notes)

  • Perfect Security = the balance of security and controls with operations and limitations



Risk Analysis

Analyzes Threats


Security Analysis

Measures Attack Surface

Cracks


Security Conformity

Porosity is the sum of three counts:

  • Visibility (each target’s asset known to exist within the scope)

  • + Access (the # of places where interaction can occur)

  • + Trust (measured as each relationship that exists wherever the target accepts interaction freely from another target within the scope)

  • = Porosity
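The porosity sum above, worked on a constructed toy scope, as an added example that is not part of the presentation or of any OSSTMM tooling; the target names, services and trust relations are invented, and `separate()` is a hypothetical helper that models the "create a barrier" separation from the Security slide:

```python
"""Porosity (Visibility + Access + Trust) computed over a constructed toy
scope, following the counting rules on the slide.  Added example: the
targets, services and trust relations below are invented, not audit data."""
from dataclasses import dataclass, field


@dataclass
class Target:
    name: str
    responds: bool                              # answered during the audit: known to exist
    points: set = field(default_factory=set)    # places where interaction can occur
    trusts: set = field(default_factory=set)    # targets it accepts interaction from freely


def visibility(scope):
    """Each target's asset known to exist within the scope."""
    return sum(1 for t in scope if t.responds)


def access(scope):
    """The number of places where interaction can occur (silent targets add none)."""
    return sum(len(t.points) for t in scope if t.responds)


def trust(scope):
    """Each relationship where a target accepts interaction freely from another
    target within the scope; trusts toward out-of-scope names or itself don't count."""
    names = {t.name for t in scope if t.responds}
    return sum(len(t.trusts & (names - {t.name})) for t in scope if t.responds)


def porosity(scope):
    """Porosity = Visibility + Access + Trust, returned with its components."""
    v, a, tr = visibility(scope), access(scope), trust(scope)
    return {"visibility": v, "access": a, "trust": tr, "porosity": v + a + tr}


def separate(scope, name, point):
    """Hypothetical helper: create a separation by removing one interaction
    point from a target, returning a new scope for a before/after comparison."""
    return [Target(t.name, t.responds, t.points - {point}, set(t.trusts))
            if t.name == name else t for t in scope]


# Constructed sample scope (invented names and services).
SCOPE = [
    Target("headend", True, {"tcp/443", "tcp/22"}, {"mdms"}),
    Target("mdms", True, {"tcp/1433"}, {"headend", "workstation"}),
    Target("collector", True, {"udp/161", "tcp/22"}, {"headend", "vendor-cloud"}),
    Target("spare-collector", False, {"tcp/22"}, {"headend"}),  # powered off: invisible
]

if __name__ == "__main__":
    print(porosity(SCOPE))  # {'visibility': 3, 'access': 5, 'trust': 3, 'porosity': 11}
```

The trust count ignores "workstation" and "vendor-cloud" because they are outside the scope, and the powered-off spare collector contributes nothing to any of the three counts.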



RAV Worksheet


Review CSWG Testing & Certification

  • Is NISTIR 7628 Testable / Actionable?

  • Is AMI Security Profile 2.0 Testable / Actionable?

  • SGIP TCC Coordination Tasks

  • Miscellaneous Tasks


Outward Support

  • CSWG Testing & Certification Sub-group

  • SG Security CyberSec-Interop


Review Security Conformity TF Charter

  • Establish security conformance requirements for laboratories desiring to certify smart grid components and systems; and

  • Establish clear scoping boundaries, perform research to identify existing models, and propose a high-level philosophy of approach.

  • Chair: Bobby Brown, EnerNex

  • Vice-chair: needed (Sandy Bacik)